[opencms-dev] Email address as username for logging-in web users
Mike Bachrynowski
mikeb at tableau.co.uk
Thu Nov 18 14:05:08 CET 2004
I think OpenCms should continue to not accept the use of @ in the
username (if that is what it does).

I think using an email address as a user identifier is a security
practice to be avoided.

It is usually possible to guess the email rules for a company and then
work out possible email addresses for individuals within a company.
Email addresses should be regarded as in the public domain. In a
typical secure system after a number of failed logon attempts the logon
identifier is disabled (either for increasing periods of time or until a
manual reset). Therefore a simple web robot script (using a utility
like wget) could push through vast numbers of invalid passwords and
execute a sustained denial of service attack.

Mike
-----Original Message-----
From: opencms-dev-bounces at opencms.org
[mailto:opencms-dev-bounces at opencms.org] On Behalf Of James
Sent: 18 November 2004 11:54
To: opencms-dev at opencms.org
Subject: [opencms-dev] Email address as username for logging-in web users

I realise that the username goes through validFilename(String) and does
not accept the use of @.

I've started to implement --> userName = userName.replaceAll("@", "-----");

But has anyone else
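The lockout concern raised in the reply above, as an added example (not code from the thread or from OpenCms): a small in-memory simulation comparing a failure counter keyed on the logon identifier alone with one keyed on identifier plus source address. The class and method names, the threshold, the credential and the addresses are all constructed for illustration, and keying on the source address is only one possible mitigation, assumed here.

```java
import java.util.HashMap;
import java.util.Map;

/** Added illustration; not OpenCms code. All names and values are constructed. */
public class LockoutDemo {
    static final int MAX_FAILURES = 5;               // assumed lockout threshold
    static final String PASSWORD = "correct-horse";  // constructed sample credential

    /** Counts failures under a caller-chosen key and refuses logins once that key is locked. */
    static class Throttle {
        private final Map<String, Integer> failures = new HashMap<>();

        boolean login(String key, String password) {
            if (failures.getOrDefault(key, 0) >= MAX_FAILURES) {
                return false;                        // locked: even the right password is refused
            }
            if (PASSWORD.equals(password)) {
                failures.remove(key);                // success clears the counter
                return true;
            }
            failures.merge(key, 1, Integer::sum);    // record one more failure
            return false;
        }
    }

    /** Builds the counter key: identifier only, or identifier plus source address. */
    static String key(String user, String addr, boolean includeSource) {
        return includeSource ? user + "|" + addr : user;
    }

    /** Returns whether the real user can still log in after a script's wrong passwords. */
    static boolean ownerCanLogIn(boolean keyIncludesSource) {
        Throttle throttle = new Throttle();
        String user = "jane.doe@example.com";        // guessable identifier (constructed)
        String scriptAddr = "198.51.100.7";          // documentation address ranges
        String ownerAddr = "203.0.113.20";
        for (int i = 0; i < 100; i++) {              // scripted invalid passwords
            throttle.login(key(user, scriptAddr, keyIncludesSource), "guess" + i);
        }
        return throttle.login(key(user, ownerAddr, keyIncludesSource), PASSWORD);
    }

    public static void main(String[] args) {
        System.out.println("lock by identifier only:    owner logs in = " + ownerCanLogIn(false));
        System.out.println("lock by identifier+source:  owner logs in = " + ownerCanLogIn(true));
    }
}
```

With the identifier-only key the owner's correct password is refused once the counter reaches the threshold; with the combined key the owner's own counter is untouched by failures recorded against another address.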